Employees often take private data when they leave
Intentions not malicious, but practice still poses risk to companies
Most employees see nothing wrong with taking their employer's confidential data out of the office — and about half even take it with them to their next employer, a study has found.
Meanwhile, even when they are not changing jobs, a majority of employees are putting sensitive corporate information at risk by transferring confidential corporate data to their personal devices, personal email accounts and cloud services such as file transfer service Dropbox, said the report titled, "What's yours is mine: how employees are putting your intellectual property at risk."
It was commissioned by the internet security company Symantec from the Ponemon Institute, a private U.S. research organization focused on privacy, data protection and information security policy.
The internet survey of 3,317 employees in the United States, United Kingdom, France, Brazil, China and Korea, conducted in October 2012 and released this week, found that:
- Seventy-four per cent of respondents had access to confidential or proprietary corporate data such as customer data, contact lists, employee records, financial reports, software tools and confidential business documents.
- Among the 15 per cent of respondents who changed jobs or lost their jobs in the previous 12 months, 50 per cent took confidential company data or information with them and 40 per cent of those who took the data planned to use it to help them in their new job.
- Sixty per cent of respondents said a co-worker hired from a competing company has or mostly likely has brought documents from his or her former employee and offered them to their new co-workers.
- Fifty-two per cent of respondents didn't see the use of such documents as "a crime," and 29 per cent though it was wrong only if the data was sold for profit.
According to Symantec, the results are considered accurate within plus or minus 3.5 percentage points.
Costly to companies
Giuseppina d'Agostino, a law professor at Osgoode Hall Law School in Toronto, warns that the sharing of confidential data or trade secrets can "make or break" a company.
Lisa Stam, a lawyer at the Toronto business law firm Baker & McKenzie LLP who represents employers in employment, labour and human rights cases, agrees that the loss of corporate data can be very costly to companies.
"In the computer and tech world, harm can happen when a competitor gets an unfair advantage from using another employer's data — it definitely happens," she said. "We have a very busy [intellectual property] department here."
Once that occurs, she added, it's often too late.
"In those circumstances where you want to actually shut down the use of the information, it's hard to do," said Stam, who blogs about issues related to workplace law and technology.
Stam noted that non-compete agreements, which bar a former employee from working for or starting a competing company, are "very hard to enforce" in Canada. It's easier to get courts to enforce breach of confidentiality provisions, she said, but only if companies got employees to sign a confidentiality contract in advance.
Linda Park, senior product marketing manager for data loss prevention at Symantec, said companies are trying to do something about the problem by putting data protection policies in place and doing awareness training.
"The gap is it may not be as effective as they think it is," she said.
Employers themselves may be partly to blame — 68 per cent of respondents said their companies rarely or never took steps to use information obtained from a competitor.
Stam said employees who bring confidential data to their new employer aren't trying to harm their former employer. They are just trying to meet the expectations of new employers.
"When you go to a new employer, that new employer expects you to have a body of knowledge and it's hard to pull that out of the air," she said.
"New employers need to also adjust their expectations — if you really want to shut down all transfer, all employees have to start from square one."
Part of the problem is also that employees are confused about who owns the data, she added.
"It strikes me as a natural extension of this whole democratization of information. It lulls people into thinking that everyone or no one owns the information."
Employees often think they have some rights to the work they create or co-author.
In fact, Stam said, in Canada, any product that an employee creates in the course of employment belongs to the employer, from client lists to Twitter accounts to computer source code.
Employees routinely take data home
What makes it easy for workers to take their former employees' data with them is that there are typically large amounts of it on their personal computers, tablets, smartphones or internet file sharing tools at all times. The Symantec study found:
- Fifty-two per cent of respondents email business documents from the workplace to their home computers via their personal email accounts.
- Sixty-two per cent believe there are times when it is acceptable to transfer work documents to their personal computer tablet, smartphone or internet file sharing tools.
- When asked why they thought it was acceptable, 53 per cent of respondents said sharing the information doesn't harm the company, 51 per cent said the company has a policy that is not strictly enforced and 44 per cent said the information was not secured.
- Sixty-six per cent said they rarely or never take steps to remove, erase or delete business documents from their personal computers or tablets after using them.
- When asked why they didn't erase the data, 69 per cent said it takes too much time, 42 per cent said management doesn't really care, 38 per cent said no one will know whether it was done or not and 36 per cent said no policy required them to do the erasing.
Stam observed that a lot of that data leakage by employees seems to be done "with good intentions" — so employees can work at home after hours.
"Employers have to pause and think about whether they're encouraging this," she added.
Park noted that employees also don't believe there will be any negative consequences for themselves.
"Even though companies may say they have a data protection policy," she said, "they [employees] don't believe the company is going to enforce it."
D'Agostino said it's true that cases involving documents taken by a former to a competitor are hard to prove and expensive to litigate. However, companies do take action if the stakes are high enough. She pointed to the 2007 U.S. case of an ex-Coke employee who got eight years in prison for trying to sell Coke's secret formula to Pepsi, and said there have been some similar but lower profile cases in Canada.
Advice for employers, employees
The report recommends that employers be more proactive and protect themselves by:
- Doing more to educate employees.
- Enforcing non-disclosure agreements, which should include, in checklist form a description of information that departing employees my and may not take with them.
- Using technology to monitor where corporate data is going and how it's leaving and notify managers and employees when sensitive information is inappropriately sent or copied.
As for employees, d'Agostino recommends that if they want to secure some rights over their work, they should negotiate this with their employers up-front.
Stam recommends that employees make sure they really understand what their contract requires of them with respect to confidentiality. She added that employees who want to maintain control over their social media such as blogs and Twitter accounts should do it in their own name and on their own computer, wherever possible.